
Balancing usability and security


There are several facts that any organisation wishing to secure itself against hackers needs to face. Firstly, if a threat actor really wants to access your system he will. There are too many layers – called the attack surface – each containing their own vulnerabilities, essentially rendering total protection impossible.

Secondly, there is no silver bullet. There is not one, single solution available on the market today that offers 100% protection, and anyone telling you differently is lying.

So says Simon Campbell-Young, CEO of Phoenix Distribution. “Another harsh reality is that implementing security tools and solutions is only one piece of the puzzle. Too often, security severely impacts on usability, forcing businesses to tread a fine line, doing trade-offs between the two. Security is most often the loser in this fight, meaning that security without usability simply won’t work.”

The first thing security professionals need to look at, he explains, is a way to enable the business to do what it needs to do, safely. “This goes over and above making the activity itself secure, it must be secure in a way that doesn’t impact on a user’s ability to actually do what he or she needs to.”

“Herein lies the fundamental paradox relating to information security. As security increases, the usability of the secured system decreases. Let’s look at a cellphone. To completely secure a device, you’d need to turn it off and lock it in a secure place. 100% security achieved, yes, at the cost of rendering the device 100% unusable.”

He says finding a balance between effective security measures and usability of the data or system being secured is key. “While protecting an organisation’s information is crucial, a workable, effective approach to security must ensure that the systems on which that data resides and the networks through which the data is accessed are both secure.”

Some businesses adopt an ‘in-depth’ security approach, which sees multiple layers of protection being deployed at all layers – the network, email, endpoint and suchlike. “All critical and proprietary data must be identified and accounted for when formulating a cyber security plan. Moreover, it is no use looking at data assets within the organisation only, but also data assets held by third-party partners such as suppliers and vendors. Too often a breach occurs because a third-party partner has been lackadaisical about security measures.”

When deciding on security solutions and approaches, a business must bear in mind that any tools must address not only the security of the data, but its accessibility and integrity too. And paramount is that security must not render systems or processes unusable, he says.

“Security officers need to identify the most critical assets and be aware of what measures are already in place to protect them. From there, they need to decide which risks are acceptable, and strike the balance between these risks versus reward. Ultimately they are on a mission to find a balance between business enablement and protection. Too often, usability is sacrificed, giving security a bad rap,” Campbell-Young concludes.